Duplicating a working configuration on new server

noelx99
500 Command not understood
Posts: 3
Joined: 2011-08-15 20:02
First name: Jane
Last name: Noel

Duplicating a working configuration on new server

#1 Post by noelx99 » 2011-08-15 21:03

I have a server behind a firewall in a datacenter with an FTP setup. It's been working since 2009 without an issue.

Filezilla is accessed by several different manufacturing plants. An automated process that is part of a custom program uploads small bits of information every 10 minutes or so. Another automated process logs in repeatedly during normal business hours to gather the info.

An update caused the server to crash and we had to rebuild it. I installed Filezilla, stopped the service, copied the Filezilla Settings.xml into the right folder and restarted it. All of the users and settings were correct.

Nothing on the firewall was changed.

But now I get an occasional (intermittent) error: 421 Can't Create Socket. It happens maybe once out of 10 times. Here's a section of the log that shows the error.

**************
(000204) 8/15/2011 0:00:13 AM - (not logged in) (100.31.191.1)> USER myusername
(000204) 8/15/2011 0:00:13 AM - (not logged in) (100.31.191.1)> 331 Password required for myusername
(000204) 8/15/2011 0:00:14 AM - (not logged in) (100.31.191.1)> PASS ***********
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 230 Logged on
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> FEAT
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 211-Features:
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> MDTM
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> REST STREAM
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> SIZE
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> MLST type*;size*;modify*;
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> MLSD
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> AUTH SSL
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> AUTH TLS
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> UTF8
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> CLNT
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> MFMT
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 211 End
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> PWD
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 257 "/" is current directory.
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> PBSZ 0
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 200 PBSZ=0
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> PROT P
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 200 Protection level set to P
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> TYPE A
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 200 Type set to A
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> CWD /Jane/FileStore
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 250 CWD successful. "/Jane/Filestore" is current directory.
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> PASV
(000204) 8/15/2011 0:00:14 AM - myusername (100.31.191.1)> 421 Can't create socket
(000204) 8/15/2011 0:00:15 AM - myusername (100.31.191.1)> disconnected.

**************

We are using passive mode and the port range is limited. It's currently set from 49152-49162. From everything I've read on the forums, that's too small a range and I should make it wider.

BUT - it's worked since 2009 with that range. While I could make it wider and I could open my firewall more, the other companies with the automated processes have 49152-49162 opened in their firewalls. I'd just as soon not have them make a change and then find that wasn't the solution. It seems to me that it's either a setting in Filezilla Server or something on the server itself.

I'm using FileZilla Server version 0.9.32 beta (this is the same version we used on the old server)
We're using FTPS to connect. (I use client v 2.2.32, however, the automated clients use custom software.)
It's running on Windows Server 2008 (same version we had on the old server)

Any ideas what could cause this? If it's the same version with the same settings on the same OS? What else could factor in?

Any help or suggestions is appreciated.

Thanks,
Jane

botg
Site Admin
Posts: 35564
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Duplicating a working configuration on new server

#2 Post by botg » 2011-08-15 21:30

Please update to the most recent version. We cannot possibly support outdated versions.

noelx99
500 Command not understood
Posts: 3
Joined: 2011-08-15 20:02
First name: Jane
Last name: Noel

Re: Duplicating a working configuration on new server

#3 Post by noelx99 » 2011-08-16 18:24

I was using 0.9.39, but when I saw the errors, I stepped back to 0.9.32 because I knew it worked in the previous configuration. I was trying to "keep all things equal" right now. If I can't get this, I'll try 0.9.39 again.

Two questions that you might be able to help with:

How does Filezilla determine the port to use? Does it just take the next one in line? Does it ask the OS for a port?

The one difference I'm seeing between our old configuration and new is that it's on Server 2008R2 rather than Server 2008. One thing we're wondering is if R2 might hold onto the sockets longer than 2008 did...causing intermittent problems in our narrow range that we never experienced before.

Thanks.

botg
Site Admin
Posts: 35564
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Duplicating a working configuration on new server

#4 Post by botg » 2011-08-16 19:01

If you have not configured a port range, the operating system is asked for a port. Otherwise it picks some free port in the range of ports; the search is usually done linearly.

According to the TCP specifications, sockets enter the TIME_WAIT state after being closed, during which the socket pair, comprised of the quadruple of local and remote IP addresses and ports, cannot be reused. If I remember correctly, that time is 4 minutes or so.

As the server, when transferring files in passive mode, you have control over the local port, but not over the remote port. Worst case, the remote client uses a fixed source port. Thus the passive mode port range needs to be large enough so that the total number of transfers done in the TIME_WAIT period does not exceed the port interval.

boco
Contributor
Posts: 26938
Joined: 2006-05-01 03:28
Location: Germany

Re: Duplicating a working configuration on new server

#5 Post by boco » 2011-08-16 19:08

> I was using 0.9.39, but when I saw the errors, I stepped back to 0.9.32 because I knew it worked in the previous configuration. I was trying to "keep all things equal" right now. If I can't get this, I'll try 0.9.39 again.

This was also meant for the client. 2.2.32 is several years out of support.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

noelx99
500 Command not understood
Posts: 3
Joined: 2011-08-15 20:02
First name: Jane
Last name: Noel

Re: Duplicating a working configuration on new server

#6 Post by noelx99 » 2011-08-16 20:36

What we found is that Server 2008R2 is "stepping on" the range we were using. In Windows Server 2008, we were successfully using 49152-49162 as our Filezilla port range.

But we found that R2 is using 49152-49155 for system stuff. Our errors were caused when Filezilla tried to access ports that Windows had taken over. Right now, we're running a test with a very narrow port range (49156-49162) without a problem. (We only really have three users)

We've tried updating to a newer client a while ago...but we had trouble with that because we need the FTPES - FTP over explicit TLS/SSL setting and that didn't exist in one of the newer versions we tried.

Thanks for your help. Your fast responses are much appreciated.
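
An added diagnostic sketch, not part of the thread or of FileZilla: it audits a passive port range against `netstat -ano -p tcp` output (the conflict found in post #6) and sizes the range for the worst case described in post #4. The netstat sample, the PIDs, the local address 10.0.0.5, the transfer rates and the function names are constructed for illustration.

```python
import math
import re

# Constructed sample of `netstat -ano -p tcp` output; PID 1820 stands in for
# the FTP server service. None of these rows come from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       452
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       540
  TCP    10.0.0.5:49157         100.31.191.1:40000     TIME_WAIT       0
  TCP    10.0.0.5:49158         100.31.191.1:40000     ESTABLISHED     1820
"""

# Proto, local addr:port, foreign addr, state, PID
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def audit_passive_range(netstat_text, low, high, server_pid):
    """Return (foreign, busy, free) for the passive range low..high.

    foreign: port -> PID of another process listening on it (PASV can never use it)
    busy:    ports with a data connection that is open or still in TIME_WAIT
    free:    ports with no row at all
    """
    foreign, busy = {}, set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or non-TCP row
        port, state, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if not low <= port <= high:
            continue
        if state == "LISTENING":
            if pid != server_pid:
                foreign[port] = pid
        else:
            # Worst case from post #4: the client reuses one source port, so a
            # port in TIME_WAIT is unusable for that client until it expires.
            busy.add(port)
    taken = set(foreign) | busy
    free = [p for p in range(low, high + 1) if p not in taken]
    return foreign, sorted(busy), free


def ports_needed(transfers_per_minute, time_wait_s=240):
    """Ports consumed within one TIME_WAIT period (240 s = the '4 minutes or so')."""
    return math.ceil(transfers_per_minute * time_wait_s / 60)
```

Comparing `len(free)` plus the busy ports against `ports_needed(rate)` shows whether the range left over after excluding foreign listeners still covers the expected transfer rate.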

boco
Contributor
Posts: 26938
Joined: 2006-05-01 03:28
Location: Germany

Re: Duplicating a working configuration on new server

#7 Post by boco » 2011-08-16 22:16

> We've tried updating to a newer client a while ago...but we had trouble with that because we need the FTPES - FTP over explicit TLS/SSL setting and that didn't exist in one of the newer versions we tried.

The current FileZilla 3.5.0 does fully support FTP, FTPES, FTPS and SFTP.
